CVE-2023-54114 (GCVE-0-2023-54114)
Vulnerability from cvelistv5
Published
2025-12-24 13:06
Modified
2025-12-24 13:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
As the call trace shows, skb_panic was caused by wrong skb->mac_header
in nsh_gso_segment():
invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1
RIP: 0010:skb_panic+0xda/0xe0
call Trace:
skb_push+0x91/0xa0
nsh_gso_segment+0x4f3/0x570
skb_mac_gso_segment+0x19e/0x270
__skb_gso_segment+0x1e8/0x3c0
validate_xmit_skb+0x452/0x890
validate_xmit_skb_list+0x99/0xd0
sch_direct_xmit+0x294/0x7c0
__dev_queue_xmit+0x16f0/0x1d70
packet_xmit+0x185/0x210
packet_snd+0xc15/0x1170
packet_sendmsg+0x7b/0xa0
sock_sendmsg+0x14f/0x160
The root cause is:
nsh_gso_segment() use skb->network_header - nhoff to reset mac_header
in skb_gso_error_unwind() if inner-layer protocol gso fails.
However, skb->network_header may be reset by inner-layer protocol
gso function e.g. mpls_gso_segment. skb->mac_header reset by the
inaccurate network_header will be larger than skb headroom.
nsh_gso_segment
nhoff = skb->network_header - skb->mac_header;
__skb_pull(skb,nsh_len)
skb_mac_gso_segment
mpls_gso_segment
skb_reset_network_header(skb);//skb->network_header+=nsh_len
return -EINVAL;
skb_gso_error_unwind
skb_push(skb, nsh_len);
skb->mac_header = skb->network_header - nhoff;
// skb->mac_header > skb->headroom, cause skb_push panic
Use correct mac_offset to restore mac_header and get rid of nhoff.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: c411ed854584a71b0e86ac3019b60e4789d88086 Version: c411ed854584a71b0e86ac3019b60e4789d88086 Version: c411ed854584a71b0e86ac3019b60e4789d88086 Version: c411ed854584a71b0e86ac3019b60e4789d88086 Version: c411ed854584a71b0e86ac3019b60e4789d88086 Version: c411ed854584a71b0e86ac3019b60e4789d88086 Version: c411ed854584a71b0e86ac3019b60e4789d88086 Version: c411ed854584a71b0e86ac3019b60e4789d88086 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nsh/nsh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2f88c8d38ecf5ed0273f99a067246899ba499eb2",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
},
{
"lessThan": "d2309e0cb27b6871b273fbc1725e93be62570d86",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
},
{
"lessThan": "435855b0831b351cb72cb38369ee33122ce9574c",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
},
{
"lessThan": "02b20e0bc0c2628539e9e518dc342787c3332de2",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
},
{
"lessThan": "cdd8160dcda1fed2028a5f96575a84afc23aff7d",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
},
{
"lessThan": "6fbedf987b6b8ed54a50e2205d998eb2c8be72f9",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
},
{
"lessThan": "cb38e62922aa3991793344b5a5870e7291c74a44",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
},
{
"lessThan": "c83b49383b595be50647f0c764a48c78b5f3c4f8",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nsh/nsh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.316",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()\n\nAs the call trace shows, skb_panic was caused by wrong skb-\u003emac_header\nin nsh_gso_segment():\n\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1\nRIP: 0010:skb_panic+0xda/0xe0\ncall Trace:\n skb_push+0x91/0xa0\n nsh_gso_segment+0x4f3/0x570\n skb_mac_gso_segment+0x19e/0x270\n __skb_gso_segment+0x1e8/0x3c0\n validate_xmit_skb+0x452/0x890\n validate_xmit_skb_list+0x99/0xd0\n sch_direct_xmit+0x294/0x7c0\n __dev_queue_xmit+0x16f0/0x1d70\n packet_xmit+0x185/0x210\n packet_snd+0xc15/0x1170\n packet_sendmsg+0x7b/0xa0\n sock_sendmsg+0x14f/0x160\n\nThe root cause is:\nnsh_gso_segment() use skb-\u003enetwork_header - nhoff to reset mac_header\nin skb_gso_error_unwind() if inner-layer protocol gso fails.\nHowever, skb-\u003enetwork_header may be reset by inner-layer protocol\ngso function e.g. mpls_gso_segment. skb-\u003emac_header reset by the\ninaccurate network_header will be larger than skb headroom.\n\nnsh_gso_segment\n nhoff = skb-\u003enetwork_header - skb-\u003emac_header;\n __skb_pull(skb,nsh_len)\n skb_mac_gso_segment\n mpls_gso_segment\n skb_reset_network_header(skb);//skb-\u003enetwork_header+=nsh_len\n return -EINVAL;\n skb_gso_error_unwind\n skb_push(skb, nsh_len);\n skb-\u003emac_header = skb-\u003enetwork_header - nhoff;\n // skb-\u003emac_header \u003e skb-\u003eheadroom, cause skb_push panic\n\nUse correct mac_offset to restore mac_header and get rid of nhoff."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:36.214Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2f88c8d38ecf5ed0273f99a067246899ba499eb2"
},
{
"url": "https://git.kernel.org/stable/c/d2309e0cb27b6871b273fbc1725e93be62570d86"
},
{
"url": "https://git.kernel.org/stable/c/435855b0831b351cb72cb38369ee33122ce9574c"
},
{
"url": "https://git.kernel.org/stable/c/02b20e0bc0c2628539e9e518dc342787c3332de2"
},
{
"url": "https://git.kernel.org/stable/c/cdd8160dcda1fed2028a5f96575a84afc23aff7d"
},
{
"url": "https://git.kernel.org/stable/c/6fbedf987b6b8ed54a50e2205d998eb2c8be72f9"
},
{
"url": "https://git.kernel.org/stable/c/cb38e62922aa3991793344b5a5870e7291c74a44"
},
{
"url": "https://git.kernel.org/stable/c/c83b49383b595be50647f0c764a48c78b5f3c4f8"
}
],
"title": "net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54114",
"datePublished": "2025-12-24T13:06:36.214Z",
"dateReserved": "2025-12-24T13:02:52.519Z",
"dateUpdated": "2025-12-24T13:06:36.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2023-54114\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T13:16:13.323\",\"lastModified\":\"2025-12-24T13:16:13.323\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()\\n\\nAs the call trace shows, skb_panic was caused by wrong skb-\u003emac_header\\nin nsh_gso_segment():\\n\\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\\nCPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1\\nRIP: 0010:skb_panic+0xda/0xe0\\ncall Trace:\\n skb_push+0x91/0xa0\\n nsh_gso_segment+0x4f3/0x570\\n skb_mac_gso_segment+0x19e/0x270\\n __skb_gso_segment+0x1e8/0x3c0\\n validate_xmit_skb+0x452/0x890\\n validate_xmit_skb_list+0x99/0xd0\\n sch_direct_xmit+0x294/0x7c0\\n __dev_queue_xmit+0x16f0/0x1d70\\n packet_xmit+0x185/0x210\\n packet_snd+0xc15/0x1170\\n packet_sendmsg+0x7b/0xa0\\n sock_sendmsg+0x14f/0x160\\n\\nThe root cause is:\\nnsh_gso_segment() use skb-\u003enetwork_header - nhoff to reset mac_header\\nin skb_gso_error_unwind() if inner-layer protocol gso fails.\\nHowever, skb-\u003enetwork_header may be reset by inner-layer protocol\\ngso function e.g. mpls_gso_segment. skb-\u003emac_header reset by the\\ninaccurate network_header will be larger than skb headroom.\\n\\nnsh_gso_segment\\n nhoff = skb-\u003enetwork_header - skb-\u003emac_header;\\n __skb_pull(skb,nsh_len)\\n skb_mac_gso_segment\\n mpls_gso_segment\\n skb_reset_network_header(skb);//skb-\u003enetwork_header+=nsh_len\\n return -EINVAL;\\n skb_gso_error_unwind\\n skb_push(skb, nsh_len);\\n skb-\u003emac_header = skb-\u003enetwork_header - nhoff;\\n // skb-\u003emac_header \u003e skb-\u003eheadroom, cause skb_push panic\\n\\nUse correct mac_offset to restore mac_header and get rid of nhoff.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/02b20e0bc0c2628539e9e518dc342787c3332de2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/2f88c8d38ecf5ed0273f99a067246899ba499eb2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/435855b0831b351cb72cb38369ee33122ce9574c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6fbedf987b6b8ed54a50e2205d998eb2c8be72f9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c83b49383b595be50647f0c764a48c78b5f3c4f8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cb38e62922aa3991793344b5a5870e7291c74a44\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cdd8160dcda1fed2028a5f96575a84afc23aff7d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d2309e0cb27b6871b273fbc1725e93be62570d86\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…